WEBVTT

00:00.540 --> 00:05.040
One of the most important things you can do to make sure that you've got good security on your systems

00:05.340 --> 00:08.310
is to make sure that you've got good physical hardening.

00:08.310 --> 00:12.810
Now when I'm talking about physical hardening, I don't mean pour concrete all over it or cover it

00:12.810 --> 00:14.040
with steel plates.

00:14.040 --> 00:19.470
Instead what I'm talking about is that your typical system is covered with ports and connections and

00:19.470 --> 00:24.540
all kinds of stuff that either inadvertent or evil people can take advantage of.

00:24.540 --> 00:29.160
So what we're going to be doing is talking about how to deal with that as well as talk about some of

00:29.160 --> 00:33.550
the evil things that can happen with CPUs that need a little extra help.

00:33.660 --> 00:39.740
So the first place I want to talk about more than anything else is removable media controls. Now,

00:40.080 --> 00:47.160
I'm old school so I still like to have a CD DVD on my system but removable media is still a real issue.

00:47.160 --> 00:49.820
Now the one thing I'm not talking about here is USB.

00:49.820 --> 00:52.130
We'll save that for a little bit later.

00:52.320 --> 00:56.160
What I am talking about is mainly optical media more than anything else.

00:56.880 --> 01:01.590
It's a trick to be able to make sure that you can deal with this stuff.

01:01.740 --> 01:06.600
What if you don't want people throwing CD-ROMs into their system and installing stuff?

01:06.750 --> 01:10.800
Or worse yet, what if the autoplay kicks in and automatically does naughtiness?

01:10.800 --> 01:13.680
Luckily for us there's very easy controls on this.

01:13.680 --> 01:16.980
So what I want to do is we're going to handle this from the operating system level.

01:16.980 --> 01:21.800
Do keep in mind, if you want to, a lot of systems allow you to simply shut off optical media.

01:21.810 --> 01:27.750
But let's do it a little bit more elegantly. To do that within Windows, although every operating system has

01:27.750 --> 01:29.240
something similar to this.

01:29.250 --> 01:34.290
We're actually going to go into a local computer policy and configure it so that people can do only

01:34.290 --> 01:37.590
certain things with their removable media.

01:39.500 --> 01:43.130
So on this particular system here I'm going to run MMC

01:45.810 --> 01:48.270
and I'm going to add myself a plug in

01:51.560 --> 01:56.450
in this particular aspect I'm going to use Group Policy objects just for my local computer

01:59.260 --> 02:01.430
and what I've got is my local computer policy.

02:01.430 --> 02:06.190
Now I need to stress right now that if I wanted to and you can do this with just about any operating

02:06.190 --> 02:11.470
system I can set it up for the system as a whole so that nobody can do anything on optical media but

02:11.470 --> 02:15.640
I could also set it up for individual users. In this particular example I'm going to set it up for the

02:15.640 --> 02:16.730
computer as a whole.

02:16.750 --> 02:23.110
But keep in mind that every OS would let you set it up so that Mike Myers can never run executable files

02:23.110 --> 02:24.910
on DVD, stuff like that.

02:25.180 --> 02:31.450
OK so first thing we're going to do is let's go into our computer configuration because I want to do

02:31.450 --> 02:35.170
it for the whole computer and we'll go under administrative templates.

02:36.200 --> 02:43.670
And let's come down here to System and scroll all the way to Removable Storage Access.

02:43.680 --> 02:44.850
There it is.

02:44.850 --> 02:49.080
Now if you take a look here you can see we got a lot of very very tight controls here.

02:49.170 --> 02:55.980
Floppy drives removable disk in this case we're talking about removable drives IDs CDs DVDs.

02:55.980 --> 03:02.490
Let's just have fun let's just say I want to set it up so nobody can read any optical media on this

03:02.490 --> 03:05.430
system. You see right now it's not configured.

03:05.430 --> 03:09.810
So I'm just going to fire this up and enable it.

03:11.310 --> 03:20.350
And if I hit OK I've set it up in such a way that nobody is going to be able to read any optical media.

03:20.520 --> 03:26.400
But let me go and turn that off because I'm just the kind of person who's going to forget which is go

03:26.400 --> 03:28.550
to not configured.

03:28.790 --> 03:30.380
And we've turned that back off.

03:30.410 --> 03:36.350
So every operating system's a little bit different in terms of how it handles removable media controls

03:36.560 --> 03:39.910
but in Windows it's done through a local computer policy.

03:39.920 --> 03:45.200
Now the next thing I want to do under physical hardening is something called Data Execution Prevention

03:45.230 --> 03:46.760
or DEP.

03:46.980 --> 03:54.050
DEP is a problem that was discovered a few years back where evil guys could actually execute programs

03:54.230 --> 03:55.400
in certain parts of memory

03:55.400 --> 03:56.820
they weren't supposed to.

03:57.020 --> 04:02.170
So this really is a hardware issue even though it seems to be that we only use software to fix it.

04:02.180 --> 04:05.830
So let me show you where DEP sits, at least within the world of Windows.

04:06.170 --> 04:13.320
So the first thing I'm going to do is I'm going to type in system and under System we go to advanced

04:13.320 --> 04:21.270
system settings and we click under performance and if you look right here this is data execution prevention

04:21.600 --> 04:26.890
and you'll notice it's on for pretty much anybody who needs it.

04:26.910 --> 04:34.680
DEP by default is a good thing and there's very very few situations where people do not want to turn

04:34.860 --> 04:35.990
off DEP.

04:36.000 --> 04:41.830
However if you take a look on the screen here you can actually go in and add executable programs.

04:41.850 --> 04:47.820
I've got to tell you DEP's been around for close to 10 years now and I have never once had to go in there.

04:47.820 --> 04:53.520
However that's on the exams so you have been fully covered at least in terms of understanding how to

04:53.520 --> 04:55.110
turn on or turn off

04:55.120 --> 05:02.100
DEP. Now the last one that I want to talk about when it comes to physical hardening is actually pretty

05:02.100 --> 05:02.740
interesting.

05:02.740 --> 05:07.130
Here we're going to be talking about disabling ports. However, to disable ports

05:07.200 --> 05:11.850
we're going to have to go into the BIOS, so I'm going to point a camera right at the screen so you can

05:11.850 --> 05:14.300
watch me do some BIOS changes already.

05:14.640 --> 05:19.410
OK folks, here we are in my EFI BIOS on this particular system.

05:19.560 --> 05:24.810
And now keep in mind what I'm about to show you changes on every different BIOS.

05:24.810 --> 05:26.640
So keep that in mind as I show you.

05:26.640 --> 05:33.020
So on this particular BIOS we go into Peripherals, and what I'm looking for is I want to turn off ports.

05:33.030 --> 05:39.200
So first of all I cannot actually turn off my USB ports, and that's a big one

05:39.210 --> 05:40.690
a lot of people worry about.

05:40.760 --> 05:41.700
As a matter of fact,

05:41.700 --> 05:45.310
there would be a lot of security people who would not like this particular motherboard.

05:45.330 --> 05:52.080
However I can do this USB mass storage drivers support route.

05:52.100 --> 05:53.710
You can see that I've got it disabled.

05:53.710 --> 05:59.740
The reason it's disabled is somebody can plug in a USB device, they can plug in a mouse and the mouse

05:59.740 --> 06:00.260
will work.

06:00.340 --> 06:05.230
But if they try to plug in a thumb drive to copy data it's not going to work for them.

06:05.230 --> 06:09.020
So keep in mind all of these are easily toggled enabled and disabled.

06:09.070 --> 06:11.960
So now people can start using the thumb drives again properly.

06:11.980 --> 06:13.280
Let's go and turn that off.

06:16.770 --> 06:20.860
The other thing we could do is we can turn off just about any port.

06:20.910 --> 06:23.930
I'm not going to go showing you every different port we can turn off here.

06:24.120 --> 06:30.720
But one of the things that I like to use are legacy ports. On this particular motherboard it actually

06:30.720 --> 06:37.230
still has a serial port and a parallel port. Serial ports are particularly notorious for bad

06:37.230 --> 06:38.620
guys to get into.

06:38.880 --> 06:42.100
So I'm going to go ahead and disable that one as well.

06:42.540 --> 06:46.580
And then that way I've got ports turned off.

06:46.620 --> 06:51.420
So with all the different things we've seen in physical hardening, the one thing I really can't stress

06:51.420 --> 06:58.350
enough is shutting off those ports. In law enforcement scenarios, in a lot of high proprietary scenarios,

06:58.710 --> 07:06.550
not turning off ports, and in particular USB ports, is a recipe for IT security disasters.

